Incremental Release 10.3 Notes
March 2023
Changes and Improvements
- The new CertStoreContainer certificate search field shows certificates in a certificate store that is included in the certificate store container specified by the search criteria.
- The Keyfactor Bash Orchestrator added support for using an SSSD user store (e.g. Active Directory) on requests to create logons and distribute key information, allowing keys to be managed for domain users. Domain users can be managed with or without preexisting home directories.
- Added the ability to use any symbols when creating a new SSH logon. This is required in order to facilitate creating a logon for an AD user using SSSD.
- The Universal Orchestrator now communicates with IIS certificate stores over TCP port 445 rather than using WinRM and default ports 5985/5986.
- The BASH Orchestrator now returns improved warning messages on the Job History page. See SSH-Bash Orchestrator Job History Warning Resolution.
Updates and Fixes
- Update: The Keyfactor Bash Orchestrator now adds the command restorecon to the list of commands the orchestrator service account is allowed to execute via sudo on servers running SELinux.
- Update: The Keyfactor Bash Orchestrator now trims Windows line breaks from JSON payloads on send and receive and ignores any data in the authorized_keys file that is not a key (e.g. a comment).
- Update: An application setting—Enable Legacy Encryption—has been added to enable/disable the use of legacy encryption methods in PFX enrollment. When the value is set to true, the historical algorithm set (3DES/SHA1/RC2) is used for PFX enrollments. When the value is set to false, the newer algorithm set provided by Windows (AES256/SHA256/AES256) is used instead. The default is false.
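To verify which algorithm set an enrolled PFX actually carries, the following added triage script (not part of Keyfactor Command or this documentation) looks for the DER-encoded OIDs of the legacy PKCS#12 PBES1 schemes (3DES/SHA1, RC2) and of the PBES2/AES-256/HMAC-SHA256 set in a PFX blob. The sample byte strings are constructed DER fragments, not real archives, and the substring match is a heuristic rather than a full ASN.1 parse.

```python
"""Triage check: does a PFX/PKCS#12 blob use the legacy PBES1 algorithm set
(3DES/SHA1/RC2) or the PBES2 set (AES-256/SHA-256)? Pure stdlib, heuristic."""
from typing import Dict, List

# PKCS#12 PBES1 schemes selected when Enable Legacy Encryption is true.
LEGACY_OIDS = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
# PBES2 with AES-256-CBC and HMAC-SHA256 as the PBKDF2 PRF (the newer set).
MODERN_OIDS = {
    "1.2.840.113549.1.5.13": "PBES2",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.2.840.113549.2.9": "hmacWithSHA256",
}


def der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # base-128, big-endian, continuation bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def classify_pfx(pfx: bytes) -> Dict[str, List[str]]:
    """Report which legacy and modern algorithm OIDs occur in the DER blob."""
    return {
        "legacy": [n for o, n in LEGACY_OIDS.items() if der_oid(o) in pfx],
        "modern": [n for o, n in MODERN_OIDS.items() if der_oid(o) in pfx],
    }


def uses_legacy_encryption(pfx: bytes) -> bool:
    return bool(classify_pfx(pfx)["legacy"])


# Constructed DER fragments standing in for real PFX files (not real archives).
LEGACY_SAMPLE = bytes.fromhex("060a2a864886f70d010c0103")  # 3DES/SHA1 PBES1
MODERN_SAMPLE = bytes.fromhex("06092a864886f70d01050d060960864801650304012a")

if __name__ == "__main__":
    print("legacy sample:", classify_pfx(LEGACY_SAMPLE))
    print("modern sample:", classify_pfx(MODERN_SAMPLE))
```

For a real archive, read the .pfx file as bytes and pass it to classify_pfx; a PFX enrolled with the setting left at its default of false should report no legacy entries.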
- Update: A script has been added to allow the Keyfactor CA Policy Module to be upgraded from versions prior to 10.0 and retain existing configuration.
- Fix: EJBCA certificates with a leading zero in the serial number could not be revoked; an attempt to do so generated an error.
- Fix: EJBCA CA Config will give a notification if the certificate you selected doesn't meet requirements, and indicate exactly what the requirements are and what your certificate is lacking.
- Fix: The GET /SSL API endpoint was returning duplicate records.
- Fix: The DELETE /Workflow/Definitions/{id} API endpoint was returning an error if the workflow contained steps.
- Fix: Expiration alert tests displayed a blank dialog if the alert was configured with no recipients.
- Fix: The Keyfactor Bash Orchestrator install failed when the service account was provided an extremely long password.
Known Issues
- The dashboard will throw a secure key error if you let the dashboard sit idle for around 20 minutes. The temporary workaround is to refresh the page. It will be investigated in release 11 for a possible fix.
- Because a “+” (plus sign) in a URL can represent either a space or a “+”, Keyfactor Command has chosen to read “+” as a space. For CRL URLs that require a “+” (plus sign), rather than a space, replace plus signs in your CRL's URL with “%2B”. Only replace the plus signs you don't wish to be treated as a space.
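The encoding rule above, as an added example that is not part of the original notes: encode_literal_plus rewrites the plus signs in the path and query of a CRL URL as %2B, and as_read_by_command models a consumer that, like Keyfactor Command, decodes a bare “+” as a space. The CRL URL is a constructed sample.

```python
"""Percent-encode literal plus signs in a CRL URL so a consumer that reads '+' as
a space still receives the intended '+' characters."""
from urllib.parse import urlsplit, urlunsplit, unquote_plus


def encode_literal_plus(url: str) -> str:
    """Replace every '+' in the path and query with '%2B'; the scheme and host
    are left untouched. Apply this only to plus signs that must stay literal."""
    parts = urlsplit(url)
    return urlunsplit((
        parts.scheme,
        parts.netloc,
        parts.path.replace("+", "%2B"),
        parts.query.replace("+", "%2B"),
        parts.fragment,
    ))


def as_read_by_command(url: str) -> str:
    """Model the consumer: a bare '+' decodes to a space, '%2B' decodes to '+'."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, unquote_plus(parts.path),
                       unquote_plus(parts.query), parts.fragment))


# Constructed CRL distribution point whose file name contains a literal '+'.
CRL_URL = "http://crl.example.test/pki/Issuing+CA(1).crl"

if __name__ == "__main__":
    print("unencoded, as read:", as_read_by_command(CRL_URL))
    print("encoded, as read:  ", as_read_by_command(encode_literal_plus(CRL_URL)))
```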
- A user without Global Certificates - Read and Global Certificates - Import will see a permission error dialog when attempting to view an enrollment workflow instance that has completed. The only impact of this error is that the certificate’s information is not parsed in the Instance Review dialog. Users should not need these permissions to view their completed workflow instances, and so should not be seeing this error. This will be fixed in the next Keyfactor Command release. The raw data is still present. As a workaround, a user who wants to see the parsed data for that certificate can take the KeyfactorId (found on the workflow instance) and search for it on the certificate search page using the CertId field.
API Endpoint Change Log
No API endpoint changes were made in this release.